Be CPCSC ready before your next DND or PSPC solicitation.

CPCSC Level 1 & 2 Consulting

We prepare defence suppliers for CPCSC Level 1 and Level 2 with practical ITSP.10.171 scope review, evidence planning, and control review tied to contract-designated information below the classified level. We prepare your team for the work it must own and explain; accredited bodies handle official certification.

Get the CPCSC Level 1 Guide

Next available: 7-10 business days | 30-minute technical discussion | No obligation

  • CISSP and CMMC CCP-led readiness support
  • ITSP.10.171 gap analysis
  • Evidence and documentation plan
  • Control and evidence review before solicitation pressure
  • CISSP
  • CMMC CCP
  • AWS Solutions Architect Pro
  • Ottawa-based

CPCSC Level 1 Guide

Need the CPCSC Level 1 guide first?

Get the guide before you book a call. It helps you compare ITSP.10.171 expectations, contract-readiness questions, and the evidence your team may need to organise.

Not ready for a full engagement?

Start with a CPCSC Level 1 readiness review

If you want to understand your scope, evidence, and documentation gaps before committing to a larger project, a focused readiness review is the practical first step. It is independent readiness support, not certification.

Book a CPCSC readiness review

Applicability

Does CPCSC apply to your organisation?

CPCSC may apply if your organisation bids on, supports, or subcontracts into Canadian defence or federal procurement work where contract-designated specified information or other federal contractual sensitive information below the classified level must be protected.

You may need CPCSC readiness support if you:

  • Bid on or support DND or PSPC defence contracts.
  • Handle contract-designated specified information or federal contractual sensitive information below the classified level.
  • Operate as a subcontractor in a Canadian defence supply chain.
  • Provide IT, MSP, cloud, software, engineering, or manufacturing services to defence suppliers.
  • Need to answer CPCSC questions in an RFP, renewal, supplier questionnaire, or CanadaBuys profile.
  • Are unsure whether Level 1, Level 2, or a future higher level applies to your environment.

Unsure where you fit? Book a readiness call before you commit to major remediation spend.

Level 1 vs Level 2

CPCSC Level 1 vs Level 2: what changes?

CPCSC requirements are being phased into defence procurement. The right readiness path depends on your contract language, data sensitivity, supply-chain role, and current control maturity.

| Area | Level 1 | Level 2 |
| --- | --- | --- |
| Typical use case | Baseline cyber hygiene for suppliers in scope of designated defence contracts. | More rigorous protection for organisations handling higher-risk or more sensitive contractual information. |
| Assessment model | Annual self-assessment under current Government of Canada guidance. | Triennial external cyber security assessment led by an accredited certification body, plus annual affirmation. |
| Readiness focus | Scope, baseline controls, policies, evidence, attestation records. | 98-control readiness, deeper evidence, assessment preparation, remediation planning, and annual affirmation planning. |
| Common blockers | Unclear scope, missing policies, incomplete MFA/access controls, weak evidence trail. | Complex environments, inherited/cloud responsibilities, supplier flowdown, and technical measures where the contract scope or control mapping requires them. |
| How Pilotcore helps | Gap review, control mapping, documentation, evidence checklist, technical remediation plan. | Readiness roadmap, technical implementation guidance, evidence preparation, control review. |

Program details and timing should be confirmed against current Government of Canada, PSPC, and Canadian Centre for Cyber Security guidance and the specific solicitation language.

Our Process

How Pilotcore prepares you for CPCSC readiness

  1. Assess

    Gap analysis against ITSP.10.171.

    The first deliverable is a board-ready ITSP.10.171 gap report, prioritised remediation roadmap, and budget concrete enough to brief leadership before any major spend. It is an actual technical evaluation of your systems, policies, and procedures, not a generic questionnaire.

    • Prioritised roadmap of missing ITSP.10.171 controls
    • Implementation complexity and realistic timeline
    • Board-ready budget presentation
  2. Implement

    Technical control implementation.

    We support implementation of the technical and governance controls in scope for your contract and environment. This may include access control, secure configuration, evidence collection, and, where the scope requires it, segmentation, encryption, logging, and incident response processes.

    • Hands-on support for configurations your team can maintain
    • Architecture diagrams and runbooks
    • Evidence automation workflows
  3. Document

    Policies, procedures, and CPCSC documentation support.

    We help your team prepare documentation for the supplier systems and workflows that handle contract-designated information below the classified level. That can include an SSP-style system description, supporting cybersecurity policies, operational procedures, and evidence notes mapped to ITSP.10.171 and the CPCSC level required by the contract. Pilotcore supports the documentation process; your organisation owns, approves, and maintains the records.

    • CPCSC documentation mapped to in-scope ITSP.10.171 requirements
    • Policies and procedures tied to implemented controls and contract scope
    • Evidence notes organised for self-assessment, assessor review, or renewal planning
  4. Review

    Control and evidence review.

    A Pilotcore-run readiness review checks whether in-scope controls, records, and evidence line up before self-attestation or a future official evaluation. We help your team understand what exists, what is missing, and what it must maintain. Pilotcore is not an accredited certification body; official higher-level assessments use accredited certification bodies or third-party assessors under Canadian program rules.

    • Control and evidence gap notes
    • Team preparation for self-assessment or assessor questions
    • CanadaBuys supplier profile support when required by the contract path

No Black Box Consulting

Before self-attestation or a future external CPCSC assessment, you will know what is missing, what changed, what evidence exists, and what your team still owns. If our agreed preparation work is not clear enough for your team to maintain or explain, we keep working until it is. Conditions: timely access to systems and staff, agreed staffing on your side throughout the engagement, no material scope change beyond the documented baseline, and decisions made within agreed review windows. Pilotcore is not an accredited certification body and we make no claim about assessment outcomes.

Deliverables

What you can expect from a CPCSC readiness engagement

Every environment is different, but a practical CPCSC readiness project should leave your team with usable outputs, not just generic advice.

Typical deliverables may include:

  • CPCSC applicability and scope notes
  • ITSP.10.171 control gap report
  • Prioritised remediation roadmap
  • Evidence checklist and evidence tracker
  • Policy and procedure recommendations
  • System and security-boundary diagram recommendations
  • Microsoft 365, cloud, endpoint, logging, and backup control recommendations
  • Executive summary for leadership or bid/no-bid planning
  • Control and evidence review notes for self-assessment or assessor review
  • Next-step plan for Level 1 self-attestation or Level 2 preparation

Timeline

How long does CPCSC readiness take?

Readiness timelines depend on your scope, existing security maturity, documentation quality, and whether the work is Level 1 baseline readiness or Level 2 preparation.

  • 1-2 weeks: Initial scope review and gap analysis for a focused environment.
  • 2-6 weeks: Level 1 readiness improvements for a smaller team with mature Microsoft 365/cloud controls and limited documentation gaps.
  • 6-12+ weeks: Larger environments, missing policies, weak identity controls, unclear asset scope, or deeper technical remediation.
  • Longer roadmap: Level 2 readiness, complex supplier chains, multi-site environments, or heavy cloud and on-premises integration.

These are planning ranges, not guarantees. Contract language and official program guidance should drive final readiness timing.

Cost factors

What affects CPCSC readiness cost?

Rather than starting with a generic package, scope CPCSC readiness around the specific gaps that could block your contract timeline.

  • Number of users, devices, systems, and locations
  • Whether cloud, Microsoft 365, endpoint, backup, and logging controls are already mature
  • Existing SOC 2, ISO 27001, CMMC, NIST 800-171, or security-program documentation
  • Clarity of in-scope data, systems, and subcontractor responsibilities
  • Amount of missing policy and procedure documentation
  • Whether your team needs advisory support only or hands-on technical implementation
  • Level 1 self-assessment versus Level 2 preparation

Why Pilotcore for CPCSC

Canadian defence expertise your team can explain.

CPCSC readiness work requires understanding of ITSP.10.171, PSPC processes, and Canadian defence procurement. We connect cybersecurity controls to contract readiness.

  • CCP + CISSP certified lead.

    Publicly verifiable credentials from recognised certification bodies.

  • Infrastructure as Code.

    Terraform modules, not spreadsheets. Controls you can version, audit, and redeploy across environments.

  • Dual-track CPCSC + CMMC.

    Shared control implementation can reduce duplicate effort across PSPC and DoD programs, depending on contract scope and assessor interpretation.

  • Knowledge transfer, not lock-in.

    Your team owns the runbooks, playbooks, and IaC modules after delivery. We coach, not gatekeep.

Book a CPCSC Readiness Call

30-minute technical discussion covering your current posture against ITSP.10.171, realistic timeline, and the preparation path that fits your team. No obligation.

Frequently asked

Frequently Asked Questions About CPCSC Compliance

The seven questions Canadian defence-supplier engineering leads ask most often before scoping a CPCSC engagement.

  1. What is CPCSC Level 1 and which Canadian defence contractors need it?

    CPCSC (Canadian Program for Cyber Security Certification) Level 1 applies when a Canadian defence procurement requires it and the supplier handles contract-designated specified information below the classified level on supplier systems, networks, or applications. Level 1 uses 13 requirements and controls from ITSP.10.171, published by the Canadian Centre for Cyber Security, and is an annual self-assessment. Government guidance says Level 1 became available in April 2026 and that requirements may appear in select defence contracts as early as summer 2026, with compliance required at a later date. Always confirm the clause and scope in the solicitation.

  2. How long does CPCSC Level 1 implementation take for Canadian defence contractors?

    CPCSC Level 1 readiness commonly takes 1-2 weeks for initial scope and gap review, then 2-12+ weeks for remediation depending on identity, endpoint, cloud, evidence, and policy gaps. More complex environments or Level 2 readiness planning can take longer. Start from the solicitation clause and target award window rather than from a generic deadline.

  3. How much does CPCSC Level 1 implementation cost for small contractors?

    CPCSC Level 1 readiness and remediation costs vary based on organisation size, existing security posture, contract scope, and whether you take a DIY or consultant-supported approach. Key cost areas include technical controls, gap analysis, implementation guidance, internal labour, documentation, and evidence maintenance. Level 1 uses self-assessment under current guidance, so third-party assessment fees are not part of the Level 1 model. Pilotcore's fixed-scope engagements can reduce budget uncertainty with a scoped estimate based on your baseline and contract scope before starting, plus documented change-control checkpoints if scope shifts.

  4. Can Canadian companies implement CPCSC themselves or do they need a consultant?

    Canadian defence contractors can implement CPCSC Level 1 themselves if they have security expertise, ITSP.10.171 familiarity, engineering capacity, and a disciplined evidence process. Many smaller suppliers still benefit from consultant support because scope, cloud responsibilities, supplier boundaries, and evidence ownership can be hard to prove under time pressure. Pilotcore can provide a hybrid approach: gap analysis and roadmap from us, internal implementation with guided technical support from our team.

  5. How does CPCSC differ from CMMC for companies working with both Canadian and US defence?

    CPCSC applies when Canadian defence procurement requires it, while CMMC applies to US DoD contracts. CPCSC centres on federal Specified Information and ITSP.10.171. CMMC centres on FCI, CUI, FAR 52.204-21, NIST SP 800-171, and the CMMC model. CPCSC Level 2 is under development and is described as 98 controls, external assessment every three years by an accredited certification body, and annual affirmation. Canada may accept valid CMMC status case by case after scope confirmation, but suppliers should not assume automatic reciprocity.

  6. Is Pilotcore an official CPCSC certification body?

    No. Pilotcore provides CPCSC readiness, implementation support, documentation support, and evidence-preparation support. We are not an accredited certification body, we do not issue official CPCSC certifications, and we do not guarantee assessment outcomes. For Level 1, suppliers complete an annual self-assessment when the contract requires it. Higher-level official assessments use accredited certification bodies or third-party assessors under Canadian program rules.

  7. What is the first step if we are not sure CPCSC applies to us?

    Start with an applicability and scope review. The solicitation language, your supplier role, the data you handle, the systems involved, and the procurement timeline determine the right readiness path. A short readiness call can help you scope this before committing to remediation spend.

Ready to talk about your CPCSC plan?

Book a 30-minute readiness call. We'll cover your current ITSP.10.171 posture, realistic timeline, and whether you need a full engagement, a narrow remediation sprint, documentation cleanup, or no consultant yet.